Hidden Complexities: Understanding Biometrics

Biometrics have become a standard in banking, being used to log in to bank accounts.

In discussing technological advances in the field of biometrics, it is hard not to recall la scène dégoûtante from Steven Spielberg’s Minority Report. In this particular futuristic dystopian scenario, Tom Cruise’s character has to undergo an eye transplant to avoid the advanced retina-scanning cameras built into digital advertising billboards. Even if this particular narrative were to prove prescient, the technology for this and other forms of authentication is still in its infancy.

Security of all kinds is a curious sort of arms race, between those trying to beat current systems and institutions in place by any means necessary, and those who need the security to protect particular assets trying to remain one step ahead. Where originally safes were used to protect valuable items, automation and computers are now used. Perhaps the most common example of contemporary biometric security is the fingerprint identification on Apple and Samsung phones. Technically this is not a new concept, with fingerprint identification dating back to the 19th century. What is new is the concept of automating the entire process. Put simply, biometrics takes already existing physiological determinants: retinas, fingerprints, the voice, even the whole face. It then digitizes the data and compares it with a preexisting digital template, accepting or rejecting it based on similarity to the template.

Mathematical Trickery

It is natural to want to make use of the superior processing power of modern-day computers, a consequence of the now defunct observational phenomenon known as Moore’s Law, in biometric software that has to process vast quantities of data. Currently in science the statistical tool Principal Component Analysis (PCA) is the favoured procedure for reducing the total volume of this information. This technique, originally used for pattern recognition, has been applied to facial recognition and other forms of biometrics. This is useful, as it can remove background features (such as white backgrounds in passport pictures) and can determine different shades of colour in facial features. The logic and theory behind the technique are complex, but it essentially allows the system to distinguish individual sample points of the target more easily. It reduces the total number of dimensions of the data (3D to 2D; 2D to 1D etc.) whilst maintaining the variation between these individual data points.

Though PCA is a powerful technique, its weaknesses with regard to analysing changes in lighting and facial expressions explain why biometrics are not yet as Spielberg depicted. These externalities all add ‘noise’ to the system which is hard to eradicate. There are other natural processes which hamper the model: aging, facial hair and accessories are just a few, though for now one could simply update the template picture over time. It is unlikely that the inherent problems of this method can be removed by mere tweaking of PCA. Parallel work in psychology and cognitive science will need time to be modelled, combined and refined with PCA and other statistical techniques currently being examined in biometric research.
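The reduce-then-compare pipeline described above, as an added example that is not from the original article: PCA is fitted on constructed 4-pixel "images", the data is reduced to two dimensions, and a probe is accepted when its distance to the stored template is within a threshold. All names, pixel values and thresholds are assumptions made for illustration. It shows a uniform brightness change pushing the genuine user outside a tight threshold, while a threshold loose enough to tolerate that change also accepts a different person.

```python
import math

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def fit_pca(rows, k, iters=100):
    """Return (mean, top-k principal components) via power iteration with deflation."""
    n, d = len(rows), len(rows[0])
    mu = [sum(col) / n for col in zip(*rows)]
    centred = [[x - m for x, m in zip(r, mu)] for r in rows]
    cov = [[sum(c[i] * c[j] for c in centred) / (n - 1) for j in range(d)]
           for i in range(d)]
    comps = []
    for _ in range(k):
        v = [float(i + 1) for i in range(d)]        # fixed, non-symmetric start vector
        for _ in range(iters):
            w = [dot(row, v) for row in cov]
            norm = math.sqrt(dot(w, w))
            if norm < 1e-12:                        # no variance left to explain
                return mu, comps
            v = [x / norm for x in w]
        lam = dot(v, [dot(row, v) for row in cov])  # Rayleigh quotient = eigenvalue
        comps.append(v)
        # Deflate: remove the variance already captured by this component.
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return mu, comps

def project(image, mu, comps):
    centred = [x - m for x, m in zip(image, mu)]
    return [dot(centred, c) for c in comps]

def distance(image, template, mu, comps):
    return math.dist(project(image, mu, comps), template)

def accepts(image, template, mu, comps, threshold):
    return distance(image, template, mu, comps) <= threshold

# Constructed 4-pixel "images" (not real biometric data).
GALLERY = [[130, 90, 120, 100], [110, 70, 100, 80],
           [124, 76, 114, 86], [116, 84, 106, 94]]
MU, COMPS = fit_pca(GALLERY, k=2)                   # 4 dimensions reduced to 2

ENROLLED = [129, 83, 119, 93]                       # enrolment image for one user
TEMPLATE = project(ENROLLED, MU, COMPS)             # stored digital template
GENUINE = [130, 82, 119, 94]                        # same user, slight sensor noise
BRIGHT = [x + 20 for x in ENROLLED]                 # same user, brighter lighting
OTHER = [111, 75, 101, 85]                          # a different person

if __name__ == "__main__":
    for name, img in [("genuine", GENUINE), ("bright", BRIGHT), ("other", OTHER)]:
        d = distance(img, TEMPLATE, MU, COMPS)
        print(f"{name:8s} distance={d:6.2f} accept@5={d <= 5} accept@45={d <= 45}")
```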

May the Buyer Beware

Naturally, society is built on capital, hence the demand of consumers, banks and businesses to protect financial information as stringently as possible. With the number of news stories of hackers stealing eye-watering sums of money increasing year on year, it is no wonder that customers are now expecting more from their financial services. The industry has responded and biometrics are essentially a mainstream standard in banking, being used to log in to bank accounts. Even the ubiquitous contactless payment is likely to be replaced by fingerprint payments, which have been trialed in Japan and France.

Despite the rollout of such services, the fingerprint in particular is more rudimentary and easily forgeable than other forms of biometrics such as DNA analysis. Security researchers have demonstrated it may only take photographs of subjects to hack into their iPhone. This method can beat optical scanners, which flash bright light at your finger and take an image, and it also eludes even capacitive scanners such as those in the iPhone. Fortunately this hack is insufficient against thermal scanners, which can sense temperature differences between fingerprint ridges and valleys. This is the gold standard for fingerprint biometrics, but it is expensive and its consistency of performance can vary greatly based on environmental temperatures (no doubt a fault in the statistical model underlying the software). Even this version of the technology has weaknesses: Play-Doh and ‘thinking putty’ have been able to beat even these advanced sensors.

Security inherently works on margins. In reality it is more difficult to acquire the fingerprints of an unwilling participant and to use the resulting mold before the subject has cancelled their account. This is much more complicated than using PIN codes or passwords that might have been phished or hacked.

Should you, Shouldn’t you?  

‘Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should’ – Ian Malcolm, Jurassic Park

Rather like art in all its forms, science fiction as a genre confronts difficult questions regarding unfettered discovery and implementation of these discoveries. One of the primary fears of consumers when it comes to biometrics is data mining, and they want guarantees from those providing services that their important details will be protected and not sold to the highest bidder. This is particularly important in biometrics, where physical characteristics are not as easily changed as a PIN code. Though the assumption may be that as biometrics become more ubiquitous, the public will become more trusting, industries using such security features would have a moral obligation to guarantee safeguards and protection of the data of their consumers, following their demands in this particularly sensitive area and not merely paying it lip service. A business would have to demonstrate it was acting in the best interests of its customers before rolling out new technologies. The new technology is as staggering as it is elegant, but it should be applied with modesty and understanding.